System, Method and Computer Program Product for Precluding Writes to Critical Files 

Field of the Invention 


The present invention relates to network security management, and more 
particularly to preventing critical files from being overwritten or altered by a virus or other 
malicious code. 

Background of the Invention 

Network security management is becoming a more difficult problem as networks 
grow in size and become a more integral part of organizational operations. Attacks on 
networks are growing both due to the intellectual challenge such attacks represent for 
hackers and due to the increasing payoff for the serious attacker. Furthermore, the 
attacks are growing beyond the current capability of security management tools to 
identify and quickly respond to those attacks. As various attack methods are tried and 
ultimately repulsed, the attackers will attempt new approaches with more subtle attack 
features. Thus, maintaining network security is on-going, ever changing, and an 
increasingly complex problem. 

Computer network attacks can take many forms and any one attack may include 
many security events of different types. Security events are anomalous network 
conditions each of which may cause an anti-security effect to a computer network. 
Security events include stealing confidential or private information; producing network 
damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming 
the network's capacities in order to cause denial of service, and so forth. 
Network security risk-assessment tools, i.e. "scanners," may be used by a 
network manager to simulate an attack against computer systems via a remote 
connection. Such scanners can probe for network weaknesses by simulating certain 
types of security events that make up an attack. Such tools can also test user passwords 
for suitability and security. Moreover, scanners can search for known types of security 
events in the form of malicious programs such as viruses, worms, and Trojan horses. 

One common technique for preventing a security event is to preclude the 
fulfillment of write requests to sensitive files (i.e. executable files, etc.). U.S. Pat. No. 
6,073,239 to Dotan teaches such a system. In particular, a method is disclosed for 
protecting executable computer programs against infection by a computer virus 
program. The method prevents writing operations that attempt to modify portions of the 
program, such as the program's entry point or first instructions. A writing operation that 
attempts to write data to the program is intercepted and analyzed before the operation is 
allowed to be processed. The method selects significant data and stores the data, in 
order to retain information indicative of the program prior to any modification thereof. 
The method then determines if the writing operation is attempting to modify the 
significant data, and if it is determined that the writing operation is attempting to modify 
the data, an alarm is generated and the operation is denied. If it is determined that the 
writing operation is not attempting to modify the data, the writing operation is allowed 
to continue. Additionally, the program can be restored to its initial state using the stored 
information and data. The method further uses the stored data indicative of the 
significant data of the program to restore the program to its initial state and undo all the 
modifications that the virus may have made to the program. 

Unfortunately, such systems have significant limitations in that they are not 
dynamic, they cannot be tailored to a particular system, they do not take into account 
the application that makes the write request, and they do not consider the location of the 
file to be written. There is thus a need for a technique of overcoming these and various 
other related disadvantages and shortcomings associated with the prior art. 



NAI1P055/01.228.01 



Disclosure of the Invention 



A system, method and computer program product are provided for preventing 
writes to critical files. Initially, factors associated with a computer are identified. Then, 
requests to write to files on the computer are monitored. The writes to the files on the 
computer are conditionally prevented based on the factors to prevent virus proliferation. 
In use, the factors are altered based on the monitoring of the requests. 

In one embodiment, the factors are selected from the group consisting of critical 
files, critical file locations, and trusted applications. Such factors may be user 
configurable. Further, the factors may be identified in a registry. 

In another embodiment, the factors may include critical files associated with an 
operating system of the computer. In addition, the factors may include critical file 
locations associated with an operating system of the computer. Such critical file 
locations may include folders. Still yet, the factors may include trusted applications that 
initiate the requests. 

In still another embodiment, the factors may be updated based on a user request. 
Further, the factors may be updated from a remote location via a network. Also, the 
factors may be updated based at least in part on the manner and nature of the write 
requests. By these updates, the present embodiment may "learn" about the system, and 
better prevent writes to critical files. 

In use, writes to the files on the computer may also be conditionally prevented 
based on a user confirmation. Still yet, the factors may be updated based on the user 
confirmation. 
Brief Description of the Drawings 



Figure 1 illustrates a network architecture, in accordance with one embodiment. 

Figure 2 shows a representative hardware environment that may be associated 
with the data servers and computers of Figure 1, in accordance with one embodiment. 

Figure 3 illustrates a method for generating a plurality of factors on which 
critical file write-protection may be based. 

Figure 4 illustrates an exemplary data structure that results from the method of 
Figure 3. 

Figure 5 is a flowchart showing a method for conditionally preventing writes to 
files, in accordance with one embodiment. 
Description of the Preferred Embodiments 

Figure 1 illustrates a network architecture 100, in accordance with one 
embodiment. As shown, a plurality of networks 102 is provided. In the context of the 
present network architecture 100, the networks 102 may each take any form including, 
but not limited to a local area network (LAN), a wide area network (WAN) such as the 
Internet, etc. 

Coupled to the networks 102 are data servers 104 which are capable of 
communicating over the networks 102. Also coupled to the networks 102 and the data 
servers 104 is a plurality of end user computers 106. In the context of the present 
description, such end user computers 106 may include a web server, desktop computer, 
lap-top computer, hand-held computer, printer or any other type of hardware/software. 

In order to facilitate communication among the networks 102, at least one 
gateway 108 is coupled therebetween. It should be noted that each of the foregoing 
network devices as well as any other unillustrated devices may be interconnected by 
way of a plurality of network segments. 

While shown attached to the gateway 108, any of the foregoing components 
and/or segments may be equipped with a scanner 120 including anti-virus scanning 
software. Such scanner 120 may be equipped to probe for network weaknesses by 
simulating certain types of security events that make up an attack. Such scanner 120 
may also test user passwords for suitability and security. Moreover, the scanner 120 
may also search for known types of security events in the form of malicious programs 
such as viruses, worms, and Trojan horses. Still yet, the scanner 120 may be adapted 
for content filtering to enforce an organization's operational policies [i.e. detecting 
harassing or pornographic content, junk e-mails, misinformation (virus hoaxes), etc.]. 
Of course, the scanner 120 may take any other sort of security measures. 

Instead of or in addition to the foregoing capabilities, the scanner 120 may 
operate to prevent critical files from being written. Initially, factors associated with a 
computer are identified. Then, requests to write to files on the computer are monitored. 
The writes to the files on the computer are conditionally prevented based on the factors 
to prevent virus proliferation. In use, such factors are altered based on the monitoring of 
the requests. 

By this design, writes to critical files are prevented based on certain factors. 
Moreover, such factors are updated during and based on use of the system. More 
information regarding an exemplary application of such technique will be set forth 
hereinafter in greater detail. 

Figure 2 shows a representative hardware environment that may be associated 
with the data servers 104 and/or end user computers 106 of Figure 1, in accordance with 
one embodiment. Such figure illustrates a typical hardware configuration of a 
workstation in accordance with a preferred embodiment having a central processing unit 
210, such as a microprocessor, and a number of other units interconnected via a system 
bus 212. 

The workstation shown in Figure 2 includes a Random Access Memory (RAM) 
214, Read Only Memory (ROM) 216, an I/O adapter 218 for connecting peripheral 
devices such as disk storage units 220 to the bus 212, a user interface adapter 222 for 
connecting a keyboard 224, a mouse 226, a speaker 228, a microphone 232, and/or other 
user interface devices such as a touch screen (not shown) to the bus 212, communication 
adapter 234 for connecting the workstation to a communication network 235 (e.g., a 
data processing network) and a display adapter 236 for connecting the bus 212 to a 
display device 238. 

The workstation may have resident thereon an operating system such as the 
Microsoft Windows NT or Windows/95 Operating System (OS), the IBM OS/2 
operating system, the MAC OS, or UNIX operating system. It will be appreciated that a 
preferred embodiment may also be implemented on platforms and operating systems 
other than those mentioned. A preferred embodiment may be written using JAVA, C, 
and/or C++ language, or other programming languages, along with an object oriented 
programming methodology. Object oriented programming (OOP) has become 
increasingly used to develop complex applications. 

Figure 3 illustrates a method 300 for generating a plurality of factors on which 
critical file write-protection may be based. In one embodiment, the present method 300 
may be used in the context of a scanner like that mentioned hereinabove during 
reference to Figure 1. Of course, the present techniques may be utilized in any desired 
context. 

Initially, an operating system associated with a system to be monitored is 
identified. Note operation 301. It should be noted that each operating system may be 
identified as a particular brand, type, version, etc. In addition to the particular operating 
system, certain applications may also be identified along with any other particular 
feature or aspect of the system. 

Once identified, various critical files are looked up based on the identified 
operating system and any other of the foregoing characteristics. See operation 302. In 
one embodiment, this may be accomplished by maintaining a local or remote default list 
of critical files for each known operating system, application, etc. As will soon become 
apparent, such default list of critical files may be updated during use of the system as the 
scanner "learns" about the use thereof. 

In addition to using the default list, critical file entries may also be identified 
from a registry in operation 304. A registry typically includes information such as what 
hardware is attached to the system, what system options have been selected, how 
computer memory is set up, and what application programs are to be present when the 
operating system is started. 

It should be noted that certain files may be deemed critical files based on an 
extension thereof. For example, executable files with a *.EXE extension may be 
considered critical by default. In a similar manner, files with a *.DLL extension may also be 
deemed critical. 

In addition to critical files, critical file locations may be identified in operation 
306. Such critical file locations may each include a particular directory, folder or other 
portion of memory where critical files are stored. For example, an operating system 
directory or folder may be considered a critical file location, while a temporary file 
location would not. Such critical file locations may be identified in a manner similar or 
different from that associated with the critical file identification process. 

Still another factor to be identified includes trusted applications that will be 
accessing the various files and file locations. See operation 308. Similar to the critical 
file locations, the trusted applications may be identified in a manner similar or different 
from that associated with the critical file identification process. In the context of the 
present description, the applications may be identified based on a type, version, location, 
etc. thereof. For example, any local application not located remote from a system may 
be considered trusted. 
It should be noted that the various factors may be selected and updated in any 
desired manner. For example, if it is determined that a user wishes to manually 
contribute to the configuration process in decision 310, any one of the foregoing factors 
may be added, removed, or otherwise altered per the desires of the user. See operation 
312. This may be accomplished utilizing any desired interface. Further, if it is 
determined an administrator or other remote agent wishes to manually or automatically 
contribute to the configuration process in decision 314, any one of the foregoing factors 
may be added, removed, or otherwise altered remotely via a network. See operation 
316. 

It should be noted that the foregoing factors may influence a decision to preclude 
the fulfillment of a write request in order to prevent the proliferation of a virus or any 
damaging consequences associated therewith. 

Figure 4 illustrates an exemplary data structure 400 that results from the method 
300 of Figure 3. Of course, the various factors may be organized, stored, etc. in any 
desired manner. As shown in Figure 4, the data structure 400 includes a plurality of 
critical files 406, a plurality of critical file locations 408, and trusted applications 410. 

Figure 5 is a flowchart showing a method 500 for conditionally preventing 
writes to files, in accordance with one embodiment. Provided with a list of factors such 
as those set forth during reference to Figure 4, the present method 500 is capable of 
conditionally preventing writes to files based on the factors. Further, the present 
method 500 is adapted for updating the factors during the course of use of the system, in 
a manner that will soon become apparent. 
The present method 500 is initiated upon the receipt of a write request in 
operation 501. Such write request may be initiated in any desired manner. For 
example, the write request may be received from a user, an application, from a remote 
computer, etc. Further, the write request may identify a file to be written. 

It is then determined in decision 502 whether the location of the file to be 
written is in a critical file location. This may be accomplished by simply comparing the 
file location with a data structure like that shown in Figure 4. If not, the write may be 
permitted in operation 512. As an option, additional security features may be initiated 
before permitting such write. 

If, however, it is determined in decision 502 that the location of the file to be 
written is in a critical file location, it is then determined whether the application 
initiating such write request is trusted. See decision 504. Again, this may be 
accomplished by simply comparing the application with a data structure like that shown 
in Figure 4. If the application is not trusted, the user is alerted in operation 506. This 
may be accomplished in any desired manner. For example, a visual notification may be 
displayed on the computer or at any remote location. 

Next, it is determined in decision 508 whether a user will permit the write 
request from the untrusted application. This may be accomplished by simply prompting 
the user to OK the write utilizing a pop-up window or the like. If the user does not OK 
the write, the write and any access to the file may be denied in operation 510, after 
which the method 500 is terminated until another write request is received. 

If, however, the user does OK the write, it is then determined whether the user is 
permitting the fulfillment of the present write request from the untrusted application, or 
all future write requests from the untrusted application. See decision 512. Again, this 
may be accomplished by simply prompting the user to decide using a pop-up window or 
the like. If the user wishes to permit all future write requests from the untrusted 
application in decision 512, the application may be added as a trusted application in a 
data structure such as that of Figure 4. In any case, the write is permitted in operation 
512. 

Returning again to decision 504, if it is determined that the application initiating 
such write request is trusted, it is then determined whether the file is critical. See 
decision 514. Similar to before, this may be accomplished by simply comparing the 
file with a data structure like that shown in Figure 4. If the file is critical, the 
user is alerted to this fact in operation 516. This may be accomplished in any desired 
manner. For example, a visual notification may be displayed on the computer or at any 
remote location. 



Next, it is determined in decision 518 whether a user will permit the write to the 
critical file. This may be accomplished by simply prompting the user to OK the write 
utilizing a pop-up window or the like. If the user does not OK the write, the write and 
any access to the file may be denied in operation 520, after which the method 500 is 
terminated until another write request is received. 

If, however, the user does OK the write, it is then determined whether the user is 
permitting the fulfillment of the present write request to the critical file, or all future 
write requests to the critical file. See decision 522. Again, this may be accomplished 
by simply prompting the user to decide using a pop-up window or the like. If the user 
wishes to permit all future writes to the critical file in decision 522, the crucial file may 
be removed as a critical file in a data structure such as that of Figure 4. In any case, the 
write is permitted in operation 512. 
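The factor generation of Figures 3 and 4 and the decision flow of Figure 5, as an added worked example that is not part of the patent and not code from its assignee: the per-operating-system default lists, the registry entries, the sample paths and the `prompt` callback standing in for the pop-up window are constructed assumptions, and the code runs offline against those constructed values.

```python
r"""Added example, not from the patent: factor generation (Figures 3 and 4)
and the write-decision method 500 (Figure 5).  All defaults and paths below
are constructed for illustration."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Callable

# Assumed per-OS defaults (operation 302); a real deployment would load a
# local or remote list, as the text says.
DEFAULT_CRITICAL_FILES = {
    "Windows NT": [r"C:\WINNT\system32\ntoskrnl.exe",
                   r"C:\WINNT\system32\kernel32.dll"],
}
DEFAULT_CRITICAL_LOCATIONS = {"Windows NT": [r"C:\WINNT", r"C:\WINNT\system32"]}
DEFAULT_TRUSTED_APPS = {"Windows NT": [r"C:\WINNT\system32\services.exe"]}
CRITICAL_EXTENSIONS = {".exe", ".dll"}        # extension rule from the text


def norm(path: str) -> str:
    r"""Canonical, case-folded path so C:\WINNT\system32\..\WIN.INI and
    c:\winnt\win.ini are the same key (the requester controls the spelling)."""
    p = PureWindowsPath(path)
    parts = []
    for part in p.parts[1:]:
        if part == "..":
            if parts:
                parts.pop()
        elif part != ".":
            parts.append(part)
    return str(PureWindowsPath(p.anchor, *parts)).lower()


@dataclass
class Factors:
    """Data structure 400: critical files 406, locations 408, trusted apps 410."""
    critical_files: set = field(default_factory=set)
    critical_locations: set = field(default_factory=set)
    trusted_apps: set = field(default_factory=set)


def build_factors(os_name, registry_files=(), overrides=()):
    """Operations 301-316: defaults for the identified OS, entries found in
    the registry, then user or remote edits given as (action, field, path)."""
    f = Factors({norm(p) for p in DEFAULT_CRITICAL_FILES.get(os_name, [])},
                {norm(p) for p in DEFAULT_CRITICAL_LOCATIONS.get(os_name, [])},
                {norm(p) for p in DEFAULT_TRUSTED_APPS.get(os_name, [])})
    f.critical_files |= {norm(p) for p in registry_files}
    for action, fld, path in overrides:
        target = getattr(f, fld)
        (target.add if action == "add" else target.discard)(norm(path))
    return f


def in_location(path: str, location: str) -> bool:
    r"""Component-wise containment, so C:\WINNT2\x.exe is not under C:\WINNT
    (a plain string-prefix test would accept it)."""
    fp = PureWindowsPath(norm(path)).parts
    lp = PureWindowsPath(norm(location)).parts
    return fp[:len(lp)] == lp


def is_critical_file(path: str, factors: Factors) -> bool:
    """Decision 514: listed explicitly, or critical by extension."""
    p = norm(path)
    return p in factors.critical_files or PureWindowsPath(p).suffix in CRITICAL_EXTENSIONS


def decide_write(path, app, factors, prompt: Callable[[str], str]) -> str:
    """Method 500.  prompt(question) stands in for the pop-up and returns
    'deny', 'once' or 'always'.  Returns 'permit' or 'deny'; an 'always'
    answer updates the factors, which is how the system "learns"."""
    if not any(in_location(path, loc) for loc in factors.critical_locations):
        return "permit"                                    # decision 502 -> 512
    if norm(app) not in factors.trusted_apps:              # decision 504
        answer = prompt(f"untrusted {app} wants to write {path}")   # 506/508
        if answer == "deny":
            return "deny"                                  # operation 510
        if answer == "always":                             # decision 512
            factors.trusted_apps.add(norm(app))
        return "permit"
    if is_critical_file(path, factors):                    # decision 514
        answer = prompt(f"{app} wants to write critical file {path}")  # 516/518
        if answer == "deny":
            return "deny"                                  # operation 520
        if answer == "always":                             # decision 522
            factors.critical_files.discard(norm(path))
    return "permit"
```

Two properties of the flow become visible once it is written out. Because decision 502 is evaluated first, a file that is critical only by its extension but lives outside every critical location is written without any prompt, and a single "always" answer at decision 512 admits the application to every critical location, not only the file it asked for. Removing a file at decision 522 also does not override the extension rule, so a *.DLL keeps prompting a trusted application until the extension rule itself is changed.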
While various embodiments have been described above, it should be understood 
that they have been presented by way of example only, and not limitation. For example, 
any of the network elements may employ any of the desired functionality set forth 
hereinabove. Thus, the breadth and scope of a preferred embodiment should not be 
limited by any of the above-described exemplary embodiments, but should be defined 
only in accordance with the following claims and their equivalents. 